From 1a0cf47fe646458938e0892e4ed73326d581a122 Mon Sep 17 00:00:00 2001
From: Ashwin P Chandran
Date: Thu, 25 Jan 2024 17:25:07 -0800
Subject: [PATCH] [Security] Updates dev guide for security (#5736)
* [Docs] Updates dev guide for security
Signed-off-by: Ashwin P Chandran
* better default creds
Signed-off-by: Ashwin P Chandran
* undo changelog changes
Signed-off-by: Ashwin P Chandran
* Adds sample password
Signed-off-by: Ashwin P Chandran
---------
Signed-off-by: Ashwin P Chandran
---
 CHANGELOG.md | 1 +
 DEVELOPER_GUIDE.md | 35 +++++++++++++++++------------------
 src/cli/serve/serve.js | 9 ++++-----
 3 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9ca74788d8fd..b2357c39c5fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -59,6 +59,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CI] Enable inputs for manually triggered Cypress test jobs ([#5134](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5134))
 - [CI] Replace usage of deprecated `set-output` in workflows ([#5340](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5340))
 - [Chore] Add `--security` for `opensearch snapshot` and `opensearch_dashboards` to configure local setup with the security plugin ([#5451](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5451))
+- [Chore] Updates default dev environment security credentials ([#5736](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5736))
 ### 📝 Documentation
diff --git a/DEVELOPER_GUIDE.md b/DEVELOPER_GUIDE.md
index 2beb18edc526..366445b4513b 100644
--- a/DEVELOPER_GUIDE.md
+++ b/DEVELOPER_GUIDE.md
@@ -179,6 +179,7 @@ For windows:
 $ wsl -d docker-desktop
 $ sysctl -w vm.max_map_count=262144
 ```
+
 ### Next Steps
 Now that you have a development environment to play with, there are a number of different paths you may take next.
@@ -235,6 +236,7 @@ $ yarn opensearch snapshot --P https://repo1.maven.org/maven2/org/opensearch/plu
 Note - if you add the [`security` plugin](https://github.com/opensearch-project/security), you'll also need to [configure OpenSearch Dashboards for security](#configure-opensearch-dashboards-for-security).
 ### Plugin development
+
 The osd-plugin-generator tool makes it easier to create a plugin for OpenSearch Dashboards. It sets up the basic structure of the project and provides scripts to build it. Refer to [osd-plugin-generator](https://github.com/opensearch-project/OpenSearch-Dashboards/tree/main/packages/osd-plugin-generator) for more details.
 #### Other snapshot configuration options
@@ -280,29 +282,26 @@ This method can also be used to develop against the [full distribution of OpenSe
 ### Configure OpenSearch Dashboards for security
-_This step is only mandatory if you have the [`security` plugin](https://github.com/opensearch-project/security) installed on your OpenSearch cluster with https/authentication enabled._
+_This step is only needed if you want your dev environment to also start with security. To do so both the OpenSearch node and OpenSearch Dashboards cluster need to have the security plugin installed. Follow the steps below to get setup correctly._
-> 1. Run `export initialAdminPassword=` since it's needed by the configuration script
-> 2. Run `yarn opensearch snapshot --security`
-> 3. Wait a few seconds while the plugin is installed, configured, and OpenSearch starts up.
+To startup the OpenSearch snapshot with security
-Then within another window. You can start:
+> OpenSearch has strong password requirements and will fail to bootstrap if the password requirements are not met. e.g. myStrongPassword123!
-> 1. Run `export OPENSEARCH_USERNAME=admin`
-> 2. Run `export OPENSEARCH_PASSWORD=`
-> 3. Optional: Run `export OPENSEARCH_SECURITY_READONLY_ROLE=`
-> 4. Run `yarn start:security`
-> 5. Navigate to OpenSearch Dashboards and login with the above username and password.
+1. Run `export OPENSEARCH_INITIAL_ADMIN_PASSWORD=` since it's needed by the configuration script
+2. Run `yarn opensearch snapshot --security`
+3. Wait a few seconds while the plugin is installed, configured, and OpenSearch starts up.
-Once the bootstrap of OpenSearch Dashboards is finished, you need to apply some
-changes to the default [`opensearch_dashboards.yml`](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/main/config/opensearch_dashboards.yml#L25-L72) in order to connect to OpenSearch.
+Then within another window you can start OpenSearch Dashboards:
-```yml
-opensearch.hosts: ["https://localhost:9200"]
-opensearch.username: "admin" # Default username on the docker image
-opensearch.password: "admin" # Default password on the docker image
-opensearch.ssl.verificationMode: none
-```
+_First make sure to clone the https://github.com/opensearch-project/security-dashboards-plugin repo into the plugins folder and build it (Using `yarn build`). You can follow the instructions here https://github.com/opensearch-project/security-dashboards-plugin/blob/main/DEVELOPER_GUIDE.md#install-opensearch-dashboards-with-security-dashboards-plugin._
+
+> You do not have to edit the `config/opensearch-dashboards.yml` file since the `yarn start:security` command sets up the default overrides automatically
+
+Then do the following:
+
+1. Run `yarn start:security`
+2. Navigate to OpenSearch Dashboards and login with the username `admin` and password ``.
 For more detailed documentation, see [Configure TLS for OpenSearch Dashboards](https://opensearch.org/docs/latest/install-and-configure/install-dashboards/tls).
diff --git a/src/cli/serve/serve.js b/src/cli/serve/serve.js
index 28dea22f4a0b..aed5d74a2c01 100644
--- a/src/cli/serve/serve.js
+++ b/src/cli/serve/serve.js
@@ -80,11 +80,11 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
 set('env', 'development');
 if (!has('opensearch.username')) {
- set('opensearch.username', 'opensearch_dashboards_system');
+ set('opensearch.username', 'kibanaserver');
 }
 if (!has('opensearch.password')) {
- set('opensearch.password', 'changeme');
+ set('opensearch.password', 'kibanaserver');
 }
 if (opts.ssl) {
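Review bot: The new fallbacks in the two `if (!has(...))` branches set a fixed username and an identical password (`'kibanaserver'` / `'kibanaserver'`), and nothing in the code says where the pair comes from or that it is only meant for a local demo setup. The removed `'changeme'` at least read as a placeholder, while the new value looks like a real service credential and is easy to copy into a shared or long-lived environment. I would add a comment above the first branch, for example `// Dev-only fallback: presumably the security plugin's demo service account; must never be used outside a local snapshot.` The condition that guards these defaults (apparently the development branch, judging by `set('env', 'development')`) starts outside the hunk, so it cannot be confirmed from here that they never apply to a non-dev start.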
@@ -146,11 +146,10 @@ function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
 set('opensearch.ssl.verificationMode', 'none');
 }
- if (get('opensearch.username') === 'opensearch_dashboards_system') {
+ if (process.env.OPENSEARCH_USERNAME) {
 set('opensearch.username', process.env.OPENSEARCH_USERNAME);
 }
-
- if (get('opensearch.password') === 'changeme') {
+ if (process.env.OPENSEARCH_PASSWORD) {
 set('opensearch.password', process.env.OPENSEARCH_PASSWORD);
 }
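Review bot: `OPENSEARCH_USERNAME` and `OPENSEARCH_PASSWORD` now overwrite whatever `opensearch.username` and `opensearch.password` already hold, which appears to include values from the config file or command line, whereas the removed conditions only replaced the placeholder defaults. If that precedence is intended, state it above the first check, e.g. `// Environment variables take precedence over configured credentials in this mode.` The two variables are also applied independently, so exporting only one of them can pair a custom username with the `'kibanaserver'` fallback password from the earlier hunk, or the reverse; consider applying them only together with `if (process.env.OPENSEARCH_USERNAME && process.env.OPENSEARCH_PASSWORD) {`. The updated DEVELOPER_GUIDE.md no longer mentions either variable, so this override is undocumented for anyone who still has them exported in their shell. The enclosing block, which also sets `opensearch.ssl.verificationMode` to `none`, begins outside the hunk.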